Washington State Patrol Non-Criminal Justice Agency Compliance Audit Process Marsha Stril WSP Compliance Auditor 360-534-2135 Introduce yourself. Have others introduce themselves.
Introductions Your name Your title
Fingerprints How do you verify that the person in front of you is who they say they are? Verified forms of identification Current, valid, unexpired picture identification document (driver’s license)
Secondary forms of identification State Government Issued Certificate of Birth U.S. Active Duty/Retiree/Reservist Military Identification Card (000 10-2) U.S. Passport Federal Government Personal Identity Verification Card (PIV) Department of Defense Common Access Card U.S. Tribal or Bureau of Indian Affairs Identification Card Social Security Card Court Order for Name Change/Gender Change/Adoption/ Divorce Marriage Certificate (Government Certificate Issued) U.S. Government Issued Consular Report of Birth Abroad Foreign Passport with Appropriate Immigration Document(s) Certificate of Citizenship (N560) Certificate of Naturalization (N550) INS I-551 Resident Alien Card Issued Since 1997 INS 1-688 Temporary Resident Identification Card INS I-688B, I-766 Employment Authorization Card
Garbage in, Garbage out
Audit for compliance
Here’s the Deal How is this change relevant to what I do? What specifically should I do? How will I be measured and what consequences will I face? What tools and support are available? What’s in it for me?
Overview Criminal Justice Information Services (CJIS) Security Policy Statutory Authority Review User Agreements/Memorandum of Understanding (MOU) Criminal History Lifecycle Security Storage/Retention Dissemination Destruction Media Security Audit Process During today’s instruction you will learn to correctly identify the audit components of the Non-criminal justice agency compliance audits. You will understand basic security awareness requirements and you will be able to confidently prepare for the NCJA audit knowing what to expect and how to create policies that comply with the areas outlined in this presentation.
CJIS Security Policy http://www.fbi.gov/about-us/cjis Federal Requirements Protect the full lifecycle of the Criminal History Record Information (CHRI) Whether at rest or in transit Applies to Non-Criminal Justice Agencies (NCJA) Provides a secure framework of laws and standards http://www.fbi.gov/about-us/cjis Federal guidelines Governs the use dissemination storage destruction of criminal history record information. Applies to non-criminal justice agencies: with access to Or who operate in support of Criminal justice services and information
Criminal History Record Information (CHRI) Lifecycle Requested (fingerprints) Delivered (encrypted email) What happens next? Where is it being stored? How long do you keep it? How is it destroyed? How secure is your agency IT system? Authorized-need to know basis. Common purpose.
Is the CHRI Secure? Personnel Who has access to it? Are they sharing it? With whom? Location Controlled access Password protected Storage How long can you retain it? “Shoulder Surfers” How long? Only when it is a key element in an ongoing investigation or the integrity of a case.
Secure? What is your perception, based on our discussion, of the security issues in this office? What could they do to fix it? Best practice would be to have a lockable cabinet with only authorized personnel having the key, or keep the cabinet in a locked room when unattended.
Storage/Retention Store CHRI in a secure records environment Dedicated area with restricted access Retain CHRI only as long as it pertains to a particular event Licensing Employment Fitness determination
State & Federal CHRI CHRI cannot be shared with any internal or external body not involved in the fitness determination of an applicant CHRI cannot be given to a person or entity that has no direct interest (secondary dissemination). CHRI can be given to the applicant upon request Verify ID CHRI can be shared when the applicant presents government issued ID.
Is it okay to share (disseminate) the results to anyone else? Dissemination of CHRI Is it okay to share (disseminate) the results to anyone else?
Here is an example The State Department of Education (DOE) conducts state and national fingerprint-based fingerprint CHRI checks under an approved state statute. Ms. Doe applies to work for the Wonder County Board of Education (BOE). The BOE conducts a state and national fingerprint-based CHRI check on Ms. Doe. The results of the national CHRI check are disseminated to the State Identification Bureau (SIB). The SIB disseminates the record to the State DOE, who is turn disseminates the record to the Wonder County BOE.
Remember: Safety First! DESTRUCTION OF CHRI Janitorial staff is fingerprinted, right? They won’t look at the items in my wastebasket. They will just throw it away. Handout the Macy’s Day parade article. Talk about it. What are the authorized methods of destruction? Remember: Safety First!
Macy’s Day Parade Story
Federally Approved Methods of CHRI Destruction Incineration Shredding
Media Security “at rest or in transit”
Let’s review….. Security Storage & Retention Dissemination Destruction Personnel & environment Storage & Retention Where & how long Dissemination Authorized or not Destruction Only two authorized methods Media Security
Any Questions so Far?
Audit Process Not as scary as you may think.
It’s not that bad! NCJA audits are mandated to the state repository (WSP) by the FBI On-site and/or Mail-in Triennial audit cycle (every 3 years)
The Audit Covers Security Retention/Storage Dissemination Destruction Media Security Statutory Authority Review User Agreements/Memorandum of Understanding (MOU) Required “Security Awareness Training” The formal audit is composed of these aspects. As you can see, we’ve discussed most of them already. The records sections we haven’t covered yet are: Statutory authority review verifies that your code or statute contains the categories of applicants for which you are submitting fingerprints. Fingerprint rejection rate is the percentage of request submitted by your agency that are rejected by the FBI for poor fingerprint quality. ORI/RFP usage review compares the reason for fingerprinting listed on the submitted fingerprint card against the reason your agency has on file and how it was received at WSP.
Statutory Authority Authorized by state statute [ Revised Code of Washington (RCW)] Can also be authorized by ordinance Federal Regulations (HUD, etc.) For purposes of employment, licensing, fitness determination and/or emergency placement
Memorandum of understanding (MOU) The FBI requires WSP to have an MOU with each of the non-criminal justice agencies (and criminal justice agencies) that submit fingerprint based state and federal background checks The purpose of this MOU is to set policy to ensure the protection of CHRI between WSP, the agencies, and the FBI
Why Audit???? The intention of the audit process is to: Help agencies implement and/or review policies, meeting state and federal security standards Increase safety practices with regards to CHRI Limit Agency Liability (MOU)
Pre-Audit Pre-audit questionnaire and an audit worksheet are sent out prior to on-site or mail-in audit WSP auditor draws a sample of data, verifying information The agency returns the completed documents-(timelines are important) Why??? The auditor will notify you of the data drawn and the requested date and time for an on-site or mail in (correspondence) review
During the Audit Verify information provided Verify Training requirements Security Awareness Training mandatory in 2013 Verify the security of the process Verify the security of your IT services Verify storage procedures Verify how CHRI is disseminated Verify how CHRI is destroyed Verify MOU’s that cover these areas
Post Audit Conversation, compliance and completeness Areas of concern noted Compliance letter sent to the audited agency Agency is given 30 days to respond with an action plan Be responsive Official letter with completed findings sent to the audited agency within 10 business days of reaching compliance standards satisfactorily The TAC and the agency head are invited to the table to talk about the items of concern. Compliance is driven by the FBI CJIS standards. Complete understanding by the time I leave your facility.
As we move forward Open and transparent communication Clarification of any misunderstandings What can the Washington State Patrol do to assist you?
Questions??? WSP Compliance Auditor Marsha Stril Marsha.Stril@wsp.wa.gov Office: 360-534-2135 NCJA webpage: http://www.wsp.wa.gov/_secured/ncja/ncja.htm